block ciphers what is a block cipher?spark-university.s3.amazonaws.com/stanford-crypto/... · the...
Post on 19-Jul-2020
9 Views
Preview:
TRANSCRIPT
Dan Boneh
Block ciphers
What is a block cipher?
Online Cryptography Course Dan Boneh
Dan Boneh
Block ciphers: crypto work horse
E, D CT Block
n bits
PT Block
n bits
Key k bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Block Ciphers Built by Iteration
R(k,m) is called a round function
for 3DES (n=48), for AES-128 (n=10)
key k
key expansion
k1 k2 k3 kn R
(k1,
)
R(k
2,
)
R(k
3,
)
R(k
n,
)
m c
Dan Boneh
Performance: Crypto++ 5.6.0 [ Wei Dai ]
AMD Opteron, 2.2 GHz ( Linux)
Cipher Block/key size Speed (MB/sec)
RC4 126
Salsa20/12 643
Sosemanuk 727
3DES 64/168 13
AES-128 128/128 109
blo
ck stream
Dan Boneh
Abstractly: PRPs and PRFs • Pseudo Random Function (PRF) defined over (K,X,Y):
F: K X Y
such that exists “efficient” algorithm to evaluate F(k,x)
• Pseudo Random Permutation (PRP) defined over (K,X):
E: K X X
such that: 1. Exists “efficient” deterministic algorithm to evaluate E(k,x)
2. The function E( k, ) is one-to-one
3. Exists “efficient” inversion algorithm D(k,y)
Dan Boneh
Running example
• Example PRPs: 3DES, AES, …
AES: K X X where K = X = {0,1}128
3DES: K X X where X = {0,1}64 , K = {0,1}168
• Functionally, any PRP is also a PRF.
– A PRP is a PRF where X=Y and is efficiently invertible.
Dan Boneh
Secure PRFs • Let F: K X Y be a PRF
Funs[X,Y]: the set of all functions from X to Y
SF = { F(k,) s.t. k K } Funs[X,Y]
• Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in SF
SF
Size |K|
Funs[X,Y]
Size |Y||X|
Dan Boneh
Secure PRFs • Let F: K X Y be a PRF
Funs[X,Y]: the set of all functions from X to Y
SF = { F(k,) s.t. k K } Funs[X,Y]
• Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in SF
k K
f Funs[X,Y] x X
f(x) or F(k,x) ? ???
Dan Boneh
Secure PRPs (secure block cipher)
• Let E: K X Y be a PRP
Perms[X]: the set of all one-to-one functions from X to Y
SF = { E(k,) s.t. k K } Perms[X,Y]
• Intuition: a PRP is secure if a random function in Perms[X] is indistinguishable from a random function in SF
k K
π Perms[X] x X
π(x) or E(k,x) ? ???
Let F: K X {0,1}128 be a secure PRF.
Is the following G a secure PRF?
G(k, x) = 0 128 if x=0
F(k,x) otherwise
No, it is easy to distinguish G from a random function
Yes, an attack on G would also break F
It depends on F
Dan Boneh
An easy application: PRF ⇒ PRG
Let F: K {0,1}n {0,1}n be a secure PRF.
Then the following G: K {0,1}nt is a secure PRG:
G(k) = F(k,0) ll F(k,1) ll ⋯ ll F(k,t-1)
Key property: parallelizable
Security from PRF property: F(k, ) indist. from random function f()
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
The data encryption standard (DES)
Online Cryptography Course Dan Boneh
Dan Boneh
Block ciphers: crypto work horse
E, D CT Block
n bits
PT Block
n bits
Key k Bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Block Ciphers Built by Iteration
R(k,m) is called a round function
for 3DES (n=48), for AES-128 (n=10)
key k
key expansion
k1 k2 k3 kn R
(k1,
)
R(k
2,
)
R(k
3,
)
R(k
n,
)
m c
Dan Boneh
The Data Encryption Standard (DES)
• Early 1970s: Horst Feistel designs Lucifer at IBM
key-len = 128 bits ; block-len = 128 bits
• 1973: NBS asks for block cipher proposals. IBM submits variant of Lucifer.
• 1976: NBS adopts DES as a federal standard
key-len = 56 bits ; block-len = 64 bits
• 1997: DES broken by exhaustive search
• 2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce
Dan Boneh
DES: core idea – Feistel Network
Given functions f1, …, fd: {0,1}n ⟶ {0,1}n
Goal: build invertible function F: {0,1}2n ⟶ {0,1}2n
In symbols:
input output
Rd-1
Ld-1
Rd
Ld
R0
L0
n-b
its n
-bits
R1
L1
⊕
f1
R2
L2
⊕
f2 ⋯
⊕
fd
Dan Boneh
Claim: for all f1, …, fd: {0,1}n ⟶ {0,1}n
Feistel network F: {0,1}2n ⟶ {0,1}2n is invertible
Proof: construct inverse
Ri-1
Li-1
Ri
Li
⊕
fi
inverse Ri-1 = Li
Li-1 = fi(Li) ⨁ Ri
input output
Rd-1
Ld-1
Rd
Ld
R0
L0
n-b
its n
-bits
R1
L1
⊕
f1
R2
L2
⊕
f2 ⋯
⊕
fd
Dan Boneh
Claim: for all f1, …, fd: {0,1}n ⟶ {0,1}n
Feistel network F: {0,1}2n ⟶ {0,1}2n is invertible
Proof: construct inverse
Ri-1
Li-1
Ri
Li
⊕
fi
inverse
input output
Rd-1
Ld-1
Rd
Ld
R0
L0
n-b
its n
-bits
R1
L1
⊕
f1
R2
L2
⊕
f2 ⋯
⊕
fd
Ri
Li
Ri-1
Li-1
⊕
fi
Dan Boneh
Decryption circuit
• Inversion is basically the same circuit, with f1, …, fd applied in reverse order
• General method for building invertible functions (block ciphers) from arbitrary functions.
• Used in many block ciphers … but not AES
R1
L1
R0
L0
Rd
Ld
n-b
its n
-bits
Rd-1
Ld-1
⊕
fd
Rd-2
Ld-2
⊕
fd-1 ⋯ ⊕
f1
Dan Boneh
“Thm:” (Luby-Rackoff ‘85):
f: K × {0,1}n ⟶ {0,1}n a secure PRF
⇒ 3-round Feistel F: K3 × {0,1}2n ⟶ {0,1}2n a secure PRP
R3
L3
R0
L0
input
R1
L1
⊕
f
R2
L2
⊕
f
⊕
f
output
Dan Boneh
DES: 16 round Feistel network
f1, …, f16: {0,1}32 ⟶ {0,1}32 , fi(x) = F( ki, x )
input
64
bit
s
output
64
bit
s
16 round Feistel network
IP IP-1
k
key expansion
k1 k2 k16 ⋯
To invert, use keys in reverse order
Dan Boneh
The function F(ki, x)
S-box: function {0,1}6 ⟶ {0,1}4 , implemented as look-up table.
Dan Boneh
The S-boxes
Si: {0,1}6 ⟶ {0,1}4
Dan Boneh
Example: a bad S-box choice
Suppose:
Si(x1, x2, …, x6) = ( x2⨁x3, x1⨁x4⨁x5, x1⨁x6, x2⨁x3⨁x6 )
or written equivalently: Si(x) = Ai⋅x (mod 2)
We say that Si is a linear function.
0 1 1 0 0 0 1 0 0 1 1 0 1 0 0 0 0 1 0 1 1 0 0 1
x1
x2
x3
x4
x5
x6
. = x2⨁x3
x1⨁x4⨁x5
x1⨁x6
x2⨁x3⨁x6
Dan Boneh
Example: a bad S-box choice Then entire DES cipher would be linear: ∃fixed binary matrix B s.t.
But then: DES(k,m1) ⨁ DES(k,m2) ⨁ DES(k,m3)
B m k1
k2
k16
. = c
832
64
⋮
DES(k,m) =
= DES(k, m1⨁m2⨁m3)
B ⨁ B ⨁ B = B m1
k m2
k m3
k
m1⨁m2⨁m3
k⨁k⨁k
(mod 2)
Dan Boneh
Choosing the S-boxes and P-box
Choosing the S-boxes and P-box at random would result in an insecure block cipher (key recovery after ≈224 outputs) [BS’89]
Several rules used in choice of S and P boxes:
• No output bit should be close to a linear func. of the input bits
• S-boxes are 4-to-1 maps
⋮
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
Exhaustive Search Attacks
Online Cryptography Course Dan Boneh
Dan Boneh
Exhaustive Search for block cipher key
Goal: given a few input output pairs (mi, ci = E(k, mi)) i=1,..,3
find key k.
Lemma: Suppose DES is an ideal cipher
( 256 random invertible functions )
Then ∀ m, c there is at most one key k s.t. c = DES(k, m)
Proof: with prob. ≥ 1 – 1/256 ≈ 99.5%
Dan Boneh
Exhaustive Search for block cipher key
For two DES pairs (m1, c1=DES(k, m1)), (m2, c2=DES(k, m2)) unicity prob. ≈ 1 - 1/271
For AES-128: given two inp/out pairs, unicity prob. ≈ 1 - 1/2128
⇒ two input/output pairs are enough for exhaustive key search.
Dan Boneh
DES challenge msg = “The unknown messages is: XXXX … “
CT = c1 c2 c3 c4
Goal: find k ∈ {0,1}56 s.t. DES(k, mi) = ci for i=1,2,3
1997: Internet search -- 3 months
1998: EFF machine (deep crack) -- 3 days (250K $)
1999: combined search -- 22 hours
2006: COPACOBANA (120 FPGAs) -- 7 days (10K $)
⇒ 56-bit ciphers should not be used !! (128-bit key ⇒ 272 days)
Dan Boneh
Strengthening DES against ex. search
Method 1: Triple-DES
• Let E : K × M ⟶ M be a block cipher
• Define 3E: K3 × M ⟶ M as
For 3DES: key-size = 3×56 = 168 bits. 3×slower than DES.
(simple attack in time ≈2118 )
3E( (k1,k2,k3), m) =
Dan Boneh
Why not double DES? • Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
Attack: M = (m1,…, m10) , C = (c1,…,c10).
• step 1: build table.
sort on 2nd column
key-len = 112 bits for DES
m E(k2,⋅) E(k1,⋅) c
k0 = 00…00 k1 = 00…01 k2 = 00…10
⋮ kN = 11…11
E(k0 , M) E(k1 , M) E(k2 , M)
⋮ E(kN , M)
256 entries
Dan Boneh
Meet in the middle attack
Attack: M = (m1,…, m10) , C = (c1,…,c10)
• step 1: build table.
• Step 2: for all k∈{0,1}56 do:
test if D(k, C) is in 2nd column.
if so then E(ki,M) = D(k,C) ⇒ (ki,k) = (k2,k1)
m E(k2,⋅) E(k1,⋅) c
k0 = 00…00 k1 = 00…01 k2 = 00…10
⋮ kN = 11…11
E(k0 , M) E(k1 , M) E(k2 , M)
⋮ E(kN , M)
Dan Boneh
Meet in the middle attack
Time = 256log(256) + 256log(256) < 263 << 2112 , space ≈ 256
Same attack on 3DES: Time = 2118 , space ≈ 256
m E(k2,⋅) E(k1,⋅) c
m E(k2,⋅) E(k1,⋅) c E(k3,⋅)
Dan Boneh
Method 2: DESX
E : K × {0,1}n ⟶ {0,1}n a block cipher
Define EX as EX( (k1,k2,k3), m) = k1 ⨁ E(k2, m⨁k3 )
For DESX: key-len = 64+56+64 = 184 bits
… but easy attack in time 264+56 = 2120 (homework)
Note: k1 ⨁ E(k2, m) and E(k2, m⨁k1) does nothing !!
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
More attacks on block ciphers
Online Cryptography Course Dan Boneh
Dan Boneh
Attacks on the implementation 1. Side channel attacks:
– Measure time to do enc/dec, measure power for enc/dec
2. Fault attacks:
– Computing errors in the last round expose the secret key k
⇒ do not even implement crypto primitives yourself …
[Kocher, Jaffe, Jun, 1998] smartcard
Dan Boneh
Linear and differential attacks [BS’89,M’93]
Given many inp/out pairs, can recover key in time less than 256 .
Linear cryptanalysis (overview) : let c = DES(k, m)
Suppose for random k,m :
Pr[ m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] ] = ½ + ε
For some ε. For DES, this exists with ε = 1/221 ≈ 0.0000000477
Dan Boneh
Linear attacks
Pr[ m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] ] = ½ + ε
Thm: given 1/ε2 random (m, c=DES(k, m)) pairs then
k[l1,…,lu] = MAJ [ m[i1,…,ir] ⨁ c[jj,…,jv] ]
with prob. ≥ 97.7%
⇒ with 1/ε2 inp/out pairs can find k[l1,…,lu] in time ≈1/ε2 .
Dan Boneh
Linear attacks
For DES, ε = 1/221 ⇒
with 242 inp/out pairs can find k[l1,…,lu] in time 242
Roughly speaking: can find 14 key “bits” this way in time 242
Brute force remaining 56−14=42 bits in time 242
Total attack time ≈243 ( << 256 ) with 242 random inp/out pairs
Dan Boneh
Lesson
A tiny bit of linearly in S5 lead to a 242 time attack.
⇒ don’t design ciphers yourself !!
Dan Boneh
Quantum attacks
Generic search problem:
Let f: X ⟶ {0,1} be a function.
Goal: find x∈X s.t. f(x)=1.
Classical computer: best generic algorithm time = O( |X| )
Quantum computer [Grover ’96] : time = O( |X|1/2 )
Can quantum computers be built: unknown
Dan Boneh
Quantum exhaustive search Given m, c=E(k,m) define
Grover ⇒ quantum computer can find k in time O( |K|1/2 )
DES: time ≈228 , AES-128: time ≈264
quantum computer ⇒ 256-bits key ciphers (e.g. AES-256)
1 if E(k,m) = c
0 otherwise f(k) =
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
The AES block cipher
Online Cryptography Course Dan Boneh
Dan Boneh
The AES process
• 1997: NIST publishes request for proposal
• 1998: 15 submissions. Five claimed attacks.
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (designed in Belgium)
Key sizes: 128, 192, 256 bits. Block size: 128 bits
Dan Boneh
AES is a Subs-Perm network (not Feistel) in
pu
t
⨁
S1
S2
S3
S8
⋯
ou
tpu
t
subs. layer
perm. layer inversion
k1
⨁
S1
S2
S3
S8
⋯
k2 S1
S2
S3
S8
⋯ ⨁
⋯
kn
Dan Boneh
AES-128 schematic
input
4
4
10 rounds
(1) ByteSub (2) ShiftRow (3) MixColumn
⨁
k2
⋯
k9
⨁ (1) ByteSub
(2) ShiftRow (3) MixColumn
⨁
k1
⨁
k0
(1) ByteSub (2) ShiftRow
output
4
4
⨁
k10
key
16 bytes
key expansion:
invertible
16 bytes ⟶176 bytes
Dan Boneh
The round function
• ByteSub: a 1 byte S-box. 256 byte table (easily computable)
• ShiftRows:
• MixColumns:
Dan Boneh
Code size/performance tradeoff
Code size Performance
Pre-compute round functions (24KB or 4KB)
largest fastest:
table lookups and xors
Pre-compute S-box only (256 bytes)
smaller slower
No pre-computation smallest slowest
Dan Boneh
Example: Javascript AES
AES library (6.4KB)
no pre-computed tables
AES in the browser:
Prior to encryption: pre-compute tables
Then encrypt using tables
http://crypto.stanford.edu/sjcl/
Dan Boneh
AES in hardware
AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES
128-bit registers: xmm1=state, xmm2=round key
aesenc xmm1, xmm2 ; puts result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim 14 x speed-up over OpenSSL on same hardware
Similar instructions on AMD Bulldozer
Dan Boneh
Attacks
Best key recovery attack: four times better than ex. search [BKR’11]
Related key attack on AES-256: [BK’09]
Given 299 inp/out pairs from four related keys in AES-256
can recover keys in time ≈299
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
Block ciphers from PRGs
Online Cryptography Course Dan Boneh
Dan Boneh
Can we build a PRF from a PRG?
Let G: K ⟶ K2 be a secure PRG
Define 1-bit PRF F: K × {0,1} ⟶ K as
F(k, x∈{0,1} ) = G(k)[x]
Thm: If G is a secure PRG then F is a secure PRF
Can we build a PRF with a larger domain?
G(k)[0]
k
G(k)[1]
G
Dan Boneh
Extending a PRG Let G: K ⟶ K2 .
define G1: K ⟶ K4 as G1(k) = G(G(k)[0]) ll G(G(k)[1])
G(k)[0]
k
G(k)[1]
G
G1(k)
G G
We get a 2-bit PRF:
F(k, x∈{0,1}2 ) = G1(k)[x] 00 01 10 11
Dan Boneh
G1 is a secure PRG
G(k)[0]
k
G(k)[1]
G
G1(k)
G G
00 01 10 11
random in K4
r0 r1
G G
≈p
r1
r01 r00
G
≈p
≈p
Dan Boneh
Extending more Let G: K ⟶ K2 .
define G2: K ⟶ K8 as G2(k) =
G(k)[0]
k
G(k)[1]
G
G2(k)
G G We get a 3-bit PRF
G G G G
000 001 010 011 100 101 110 111
Dan Boneh
Extending even more: the GGM PRF
Let G: K ⟶ K2 . define PRF F: K × {0,1}n ⟶ K as
k k1 k2 k3 kn
For input x = x0 x1 … xn-1 ∈ {0,1}n do:
G(k)[x0] G(k1)[x1] G(k2)[x2] G(kn-1)[xn-1] ⋯
Security: G a secure PRG ⇒ F is a secure PRF on {0,1}n .
Not used in practice due to slow performance.
Secure block cipher from a PRG?
Can we build a secure PRP from a secure PRG?
No, it cannot be done
Yes, just plug the GGM PRF into the Luby-Rackoff theorem
It depends on the underlying PRG
Dan Boneh
End of Segment
top related